anonhaven
Ad

CVE-2026-27129

MEDIUM CVSS 4.0: 5.7 EPSS 0.03%
Updated Feb 24, 2026
Craft
Parameter Value
CVSS 5.7 (MEDIUM)
Type CWE-918 (Server-Side Request Forgery (SSRF))
Vendor Craft
Public PoC No

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.

This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions).

Versions 4.16.19 and 5.8.23 patch the issue.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-918 Server-Side Request Forgery (SSRF)

References 3

https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3
security-advisories@github.com
https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9
security-advisories@github.com
https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-31858

Craft

8.7

CVE-2026-31857

Craft

8.1

CVE-2026-29113

Craft

2.3

CVE-2026-27128

Craft

6.9

CVE-2026-27127

Craft

7.0